In October of this year, the ISO Information security, cybersecurity, and privacy protection subcommittee (ISO/IEC JTC 1/SC 27) released ISO 27001:2022 and supporting guidance documentation. Many industry experts and consulting firms have shared their take on the changes, and while summaries vary, the consensus is as follows:

  • There is a handful of Annex SL changes that most certified organizations will adapt to with little concern.
  • The Annex A controls are reorganized from 14 domains into 4 clauses and the number of Annex A controls will drop from 114 to 93. There are 11 new controls and 58 modified controls.
  • Please refer to our previous blog post for guidance on how to merge these new changes into your current ISMS program.

ISO 27001 Timeline

Certified organizations have three years to align with the standard and must transition to the 2022 revision by October 31, 2025, but waiting this long to comply is not recommended.

Advances in the standard surrounding cloud security, metrics and monitoring, and threat intelligence are worth addressing as soon as possible! In addition, you’ll want to give your organization time to adapt to the changes, confirm that your responses are effective, and conduct formal training across your organization on both the new standard and the areas impacted by the standard updates.

Existing ISO Certifications

Organizations with an ISO 27001:2013 certification may request certification against ISO 27001:2022 now, or anytime after October 25, 2022. The obstacles to an immediate certification are finding a suitable certification body with auditors trained to the new standard and obtaining the necessary training on the new standard for your own organization. Instead of seeking immediate certification, our Dayspring experts recommend that companies maintain their current ISMS against ISO 27001:2013 through 2022 and into the first half of 2023. Use the first half of 2023 to budget, plan, and scope for the updates. A leadership-committed budget, planning, and scoping are essential transition tasks and should be documented as part of Annex SL 5.1, 6.1, and 6.2. Be certain to budget time and resources for thorough training!

Allow the size of your ISMS to dictate the pace at which you move, and look first at risk areas addressed in the new standard, such as cloud-heavy business units. Budget these areas for transition first, then add other sites or departments within your scope. GRC tools have already started releasing the new standard content, and Dayspring has updated our assessment tools as well.

New ISO 27001:2022 Certifications

New certifications, for those who have never been audited against ISO 27001 before, may be obtained for the ISO 27001:2013 version until October 31, 2023. After that, all new certifications must be against the ISO 27001:2022 version. We recommend that anyone seeking a new certification in 2023 target the ISO 27001:2022 version of the standard for their first certification. If you are currently in the middle of a project requiring ISO 27001 certification, Dayspring recommends addressing both ISO 27001:2013 and ISO 27001:2022 controls to ensure long-term compliance.

Dayspring personnel are certified ISO 27001 lead auditors and lead implementers and are available to review and create appropriate transition plans for your company. Contact us at consulting@dayspringtechnology.com or visit here to learn more.